AUDIT OF SBA’S EMAIL SYSTEM
AUDIT REPORT NUMBER 4-42

SEPTEMBER 10, 2004

This report may contain proprietary information subject to the provisions of 18 USC 1905 and must not be released to the public or another agency without permission of the Office of Inspector General.

U.S. SMALL BUSINESS ADMINISTRATION
OFFICE OF INSPECTOR GENERAL
WASHINGTON, D.C. 20416

AUDIT REPORT
Issue Date: September 10, 2004
Number: 4-42

To:       Stephen D. Galvan
          Chief Information Officer

From:     Robert G. Seabrooks,
          Assistant Inspector General for Auditing

Subject:  Audit of SBA’s Email System

Attached is the public version of the audit report on SBA’s Exchange Email system issued by Cotton & Company LLP. The report was issued as LIMITED-OFFICIAL-USE. Distribution of the full report requires specific authorization by the SBA Office of Chief Information Officer (OCIO) or SBA Office of the Inspector General (OIG).

The auditors reviewed the SBA’s Exchange Email System settings and configurations against standards issued by the National Security Administration (NSA) specifically for Microsoft Exchange email systems.

The auditors concluded that SBA’s Exchange Email system server was vulnerable [FOIA Ex. 2].

SBA was in general agreement with the findings and recommendations, but did not provide a written response to the draft audit report. Actions to address the finding and recommendations will be evaluated during the audit resolution process.

The findings in this report are based on the auditors’ conclusions and the report recommendations are subject to review, management decision and action by your office in accordance with existing Agency procedures for follow-up and resolution.

Please provide us your proposed management decisions by October 31, 2004 on the attached SBA Forms 1824, Recommendation Action Sheet. If you disagree with the recommendations, please provide your reasons in writing.

Should you or your staff have any questions, please contact Jeffrey R. Brindle, Director, Information Technology and Financial Management Group at (202) 205-[FOIA Ex. 2].

Attachments

September 9, 2004

Subject: Audit of SBA’s E-Mail System at the U.S. Small Business Administration

We were engaged to conduct a performance audit of the Exchange E-Mail System at the U.S. Small Business Administration (SBA). We utilized the NSA Guide to the Secure Configuration and Administration of Microsoft Exchange 5.x as criteria for this project. The objective of our work was not to provide assurance on overall internal control. Consequently, we do not provide an opinion on internal control.

This report is intended solely for the information and use of SBA management. We would like to express our appreciation to the SBA representatives who assisted us in completing our work. They were always courteous, helpful, and professional.

If you have any questions or comments about this report, please contact me at your convenience. Thank you.

Very truly yours,

COTTON & COMPANY LLP

/S/
Loren Schwartz, CPA, CISA

PERFORMANCE AUDIT OF THE EXCHANGE E-MAIL SYSTEM AT U.S. SMALL BUSINESS ADMINISTRATION HEADQUARTERS

EXECUTIVE SUMMARY

BACKGROUND

Cotton & Company LLP was engaged by the Office of the Inspector General, U.S. Small Business Administration (SBA), to conduct an audit of certain components of SBA’s general support system. This report specifically covers our review of the SBA Exchange E-Mail System at SBA headquarters. The Exchange E-Mail System is deemed critical to the SBA’s operations.

OBJECTIVE, SCOPE, AND METHODOLOGY

The overall objective of our audit was to review existing information security controls and identify weaknesses impacting certain components of the Exchange E-Mail System. Our review was not intended to result in the issuance of an opinion, and we do not issue an opinion as defined by the American Institute of Certified Public Accountants. We reviewed the configurable settings, management controls, and policies and procedures surrounding the email exchange server at SBA headquarters. We used the following criteria for our review:

NSA Guide to the Secure Configuration and Administration of Microsoft Exchange 5.x.

We conducted this review in accordance with Generally Accepted Government Auditing Standards for Performance Audits and accordingly, we performed such tests and other auditing procedures as necessary to meet the review objective. A review of the entire internal control structure was not required for the scope of this audit.

We performed fieldwork from March through June 2004 at SBA headquarters located in Washington, D.C., and at Cotton & Company’s Alexandria, Virginia, office.

SUMMARY OF FINDINGS AND RECOMMENDATIONS

[FOIA Ex. 2].

We recommend that SBA take actions to minimize the risk of security deficiencies by correcting the deficiencies disclosed in this report. Specific recommendations are detailed in the results section of this report.

ATTACHMENT A

PUBLIC REPORT DISTRIBUTION

Recipient                                                  Copies

Associate Deputy Administrator for
  Management & Administration                              1

General Counsel                                            3

Government Accountability Office                           1

Office of the Chief Financial Officer
  Attention: Jeff Brown                                    1